NATing LAN2, but not IPSec tunnel with the same subnet range

Started by ivoruetsche, Today at 12:03:34 PM

Hi

I have the problem that we have two subnets with the destination 192.168.2.0/24, one directly connected to OPNsense (26.01), the other via IPSec:

LAN1: 10.16.5.254/24
LAN2: 192.168.2.3/24
IPSec destination: 192.168.2.0/24

The hosts in the LAN2 subnet should see the hosts from LAN1 via the GW IP 192.168.2.3, be reachable from the 10.16.5.0 subnet as 192.168.22.0, and have no communication back to 10.16.5.0, so only one-way.

The hosts on the remote subnet via IPSec must be reachable from LAN1, but not from LAN2 with 192.168.2.0 addresses; also, from the remote 192.168.2.0 subnet, the 10.16.5.0 hosts must be reachable.

I tried 1:1 NAT, outbound NAT, destination NAT and some combinations of them, and filter rules with and without gateways, with no luck. In most of the configurations, the traffic goes via IPSec, but not to LAN2, or was not NATed.

Any hints are welcome.

Thanks a lot
Ivo

Renumber one of the locations.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

:-) Hehe, it would be nice if I could do that.

This is only the little top of the whole network. Many routes, many tunnels at all the gateways, crossing the whole of Europe...

You can translate (NAT) the remote subnet into something else, but this must be done on the remote site.

With overlapping subnets locally and in the IPSec policy, routing is not going to work at all.
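To make the overlap point above concrete, here is an added pre-check (example code, not from the thread or from OPNsense) that takes the addressing from the first post and reports which directly connected network and which IPSec policy claim the same prefix, and which entries a given destination address would match. The network names and the policy name are assumptions for the example.

```python
import ipaddress

# Constructed from the addressing in the thread (LAN1, LAN2 and the IPSec
# destination); the names are assumptions for this example.
LOCAL_NETWORKS = {
    "LAN1": ipaddress.ip_network("10.16.5.254/24", strict=False),
    "LAN2": ipaddress.ip_network("192.168.2.3/24", strict=False),
}
IPSEC_POLICIES = {
    "ipsec-remote": ipaddress.ip_network("192.168.2.0/24"),
}


def find_overlaps(local, policies):
    """Return (local_name, policy_name) pairs whose prefixes overlap.

    Any pair returned here means a directly connected network and an IPSec
    traffic selector compete for the same destinations, which is the
    situation the thread describes.
    """
    return [
        (lname, pname)
        for lname, lnet in local.items()
        for pname, pnet in policies.items()
        if lnet.overlaps(pnet)
    ]


def matching_entries(dst, local, policies):
    """List every connected network and IPSec policy that contains dst.

    More than one entry means the destination is ambiguous: the packet can
    only go one way, and the other path is unreachable for that address.
    """
    addr = ipaddress.ip_address(dst)
    hits = [name for name, net in local.items() if addr in net]
    hits += [name for name, net in policies.items() if addr in net]
    return hits


def is_ambiguous(dst, local=LOCAL_NETWORKS, policies=IPSEC_POLICIES):
    """True when dst is claimed by more than one entry."""
    return len(matching_entries(dst, local, policies)) > 1


if __name__ == "__main__":
    print("overlaps:", find_overlaps(LOCAL_NETWORKS, IPSEC_POLICIES))
    for host in ("192.168.2.50", "10.16.5.10"):
        print(host, "->", matching_entries(host, LOCAL_NETWORKS, IPSEC_POLICIES))
```

Running the same check with LAN2 renumbered (or with the remote side translated to a different prefix, as suggested in the reply) yields no overlapping pairs.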